Rafiot
commented
2 years ago That's a very interesting point, thank you for opening the issue.
For what I can tell (important to know that webdev isn't my forte), the iframe detected by Lookyloo loads https://1885474562-atari-embeds.googleusercontent.com/embeds/16cb204cf3a9d4d223a0a3fd8b0eec5d/inner-frame-minified.html?jsh=m;/_/scs/abc-static/_/js/k=gapi.lb.en.NnK9YPjtg-w.O/d=1/rs=AHpOoo9KePDGVlGjp-rlXwDM1kUO2Eh4gg/m=__features__, which contains:
<!DOCTYPE html>
<html>
<head>
<style>body,html,iframe{margin:0;padding:0;height:100%;width:100%;overflow:hidden}.forceIosScrolling{overflow:scroll;-webkit-overflow-scrolling:touch}</style>
</head>
<body>
<iframe id='userHtmlFrame' frameborder='0' scrolling='yes'>
</iframe>
<script>function loadGapi(){var loaderScript=document.createElement('script');loaderScript.setAttribute('src','https://apis.google.com/js/api.js?checkCookie=1');loaderScript.onload=function(){this.onload=function(){};loadGapiClient();};loaderScript.onreadystatechange=function(){if(this.readyState==='complete'){this.onload();}};(document.head||document.body||document.documentElement).appendChild(loaderScript);}function updateUserHtmlFrame(userHtml,enableInteraction,forceIosScrolling){var frame=document.getElementById('userHtmlFrame');if(enableInteraction){if(forceIosScrolling){var iframeParent=frame.parentElement;iframeParent.classList.add('forceIosScrolling');}else{frame.style.overflow='auto';}}else{frame.setAttribute('scrolling','no');frame.style.pointerEvents='none';}clearCookies();clearStorage();frame.contentWindow.document.open();frame.contentWindow.document.write('<base target="_blank">'+userHtml);frame.contentWindow.document.close();}function onGapiInitialized(){gapi.rpc.call('..','innerFrameGapiInitialized');gapi.rpc.register('updateUserHtmlFrame',updateUserHtmlFrame);}function loadGapiClient(){gapi.load('gapi.rpc',onGapiInitialized);}if(document.readyState=='complete'){loadGapi();}else{self.addEventListener('load',loadGapi);}function clearCookies(){var cookies=document.cookie.split(";");for(var i=0;i<cookies.length;i++){var cookie=cookies[i];var equalPosition=cookie.indexOf("=");var name=equalPosition>-1?cookie.substr(0,equalPosition):cookie;document.cookie=name+"=;expires=Thu, 01 Jan 1970 00:00:00 GMT";document.cookie=name+"=;expires=Thu, 01 Jan 1970 00:00:01 GMT ;domain=.googleusercontent.com";}}function clearStorage(){try{localStorage.clear();sessionStorage.clear();}catch(e){}}</script>
</body>
</html>
This one (userHtmlFrame) is initialized by the javascript code, so I was expecting to see it in the rendered content (which is what you pasted above), but it's not there.
In the specific example you posted, I still think we see the whole page: unless I'm mistaken, the iframe that we don't have is related to the google cookies popup at the bottom of the page (?)
More generally, we will need to replace splash by something more robust and able to render pages better soon-ish: https://github.com/Lookyloo/lookyloo/discussions/243
Is your feature request related to a problem? Please describe.
In a Phishing page, you may have many (at least a few) frames, as well as nested frames. However, the most interesting one(s) are these with the biggest "canvas" (WxHxZ). It could be interesting to identify the most visible iframe(s?) in the rendered HTML. A nice example : https://lookyloo.circl.lu/tree/3ae710ca-a077-4521-b558-959412d92b90 which is the capture of https://sites.google.com/view/nefsuddma/accueil 3 nested iframes (Lookyloo seems to find only one, or at least identify only one URL as an iframe).
Describe the solution you'd like
add a view of the iframes tree to the result with the size (WxH) of the iFrame (inc. Z index) in the viewport. In case of nested iframes, the size would need to be adjusted regarding the position and size of subframes in the viewport. A very small iframe in a big iframe may not be important, a large iframe in another is the more interesting to look at (as it is probably its content which is displayed).
Describe alternatives you've considered
No response
Additional context
Rendered HTML code of the example: